apparmor-parse cannot parse profile with stacking //&

Bug #1639660 reported by Yuqiong Sun on 2016-11-07
This bug affects 1 person
Affects: apparmor (Ubuntu)
Assigned to: John Johansen

Bug Description

I am experimenting with the new profile stacking feature of AppArmor on Ubuntu 16.10.

However, when trying to load a profile with stacking ("//&"), apparmor_parser reports the following error:

AppArmor parser error for /etc/apparmor.d/ in /etc/apparmor.d/ at line 8: syntax error, unexpected TOK_ID, expecting TOK_END_OF_RULE.

The system is Ubuntu 16.10 Server edition. I am trying to confine a test program at /root/test/shell. The profile looks like the following:

#include <tunables/global>
/root/test/shell {
  #include <abstractions/base>

  /bin/touch ix,
  /root/test/read px -> readtest1 //& readtest2,
  /root/test/shell mr,

  profile readtest1 {
    #include <abstractions/base>
    /root/test/file1 r,
    /root/test/read mr,
  }

  profile readtest2 {
    #include <abstractions/base>
    /root/test/file2 r,
    /root/test/read mr,
  }
}

If the stacking works, when the /root/test/shell execs /root/test/read, it should not be able to read either file1 or file2.

I am not sure if I am using the stacking in the wrong way, or there is a bug in userspace support for stacking.

John Johansen (jjohansen) wrote :

Yuqiong Sun,

The parser is sensitive to whitespace. If your profile name has whitespace in it, you will need to use quotes around it:

  /root/test/read px -> "readtest1 //& readtest2",

Otherwise you will need to remove the whitespace and specify it as:

  /root/test/read px -> readtest1//&readtest2,

Ideally the parser would handle whitespace in this situation and parse this properly, but at the moment it doesn't. If this fixes your problem I will mark this bug as a wishlist feature. If not, please let us know so we can debug the problem further.
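
The whitespace sensitivity described in the reply above, and the stacked-confinement result the reporter expects in the description (a task confined by readtest1//&readtest2 may only do what both profiles allow), can be seen in the following added example. It is not AppArmor's parser and not code from this report: it is a small, assumed model of a lexer in which whitespace separates tokens and a double-quoted string is one token, applied to the three forms of the exec rule discussed here, followed by an intersection check over the two child profiles from the report. The token names TOK_ID and TOK_END_OF_RULE are taken from the reported error message; the regex, ParseError, stack_components(), PROFILES and allowed() are constructed for this example, and the model implements the intended behaviour (a quoted name is accepted), not the failure the reporter goes on to describe.

```python
"""Model of how the "-> target" clause of an AppArmor exec rule is lexed.

Added example, not AppArmor's parser and not code from this bug report.
Only the token names TOK_ID and TOK_END_OF_RULE come from the reported
error; the lexer, ParseError, STACK_SEP handling, PROFILES and allowed()
are assumptions constructed here.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

STACK_SEP = "//&"

# Constructed lexer: whitespace is skipped, a quoted string is one TOK_ID,
# "->" is the transition arrow, "," ends the rule, and any other run of
# non-space/non-comma/non-quote characters is a bare TOK_ID. This is why
# "readtest1 //& readtest2" splits into three tokens while
# "readtest1//&readtest2" stays one.
_TOKEN_RE = re.compile(
    r'\s+|(?P<quoted>"[^"]*")|(?P<arrow>->)|(?P<end>,)|(?P<id>[^\s,"]+)'
)


class ParseError(Exception):
    """Message text is styled after apparmor_parser's error output."""


@dataclass
class ExecRule:
    path: str
    perms: str
    target: Optional[str]  # transition target, surrounding quotes removed


def tokenize(rule: str) -> List[Tuple[str, str]]:
    toks: List[Tuple[str, str]] = []
    pos = 0
    while pos < len(rule):
        m = _TOKEN_RE.match(rule, pos)
        if m is None:  # e.g. an unbalanced double quote
            raise ParseError(f"Found unexpected character: {rule[pos]!r}")
        pos = m.end()
        kind = m.lastgroup
        if kind is None:
            continue  # whitespace
        text = m.group(kind)
        if kind == "quoted":
            toks.append(("TOK_ID", text[1:-1]))
        elif kind == "arrow":
            toks.append(("TOK_ARROW", text))
        elif kind == "end":
            toks.append(("TOK_END_OF_RULE", text))
        else:
            toks.append(("TOK_ID", text))
    return toks


def parse_exec_rule(rule: str) -> ExecRule:
    """Parse '<path> <perms> [-> <target>],' and reject trailing tokens."""
    toks = tokenize(rule)

    def expect(i: int, kind: str) -> str:
        if i >= len(toks):
            raise ParseError(f"syntax error, unexpected end of rule, expecting {kind}")
        if toks[i][0] != kind:
            raise ParseError(f"syntax error, unexpected {toks[i][0]}, expecting {kind}")
        return toks[i][1]

    path = expect(0, "TOK_ID")
    perms = expect(1, "TOK_ID")
    i, target = 2, None
    if i < len(toks) and toks[i][0] == "TOK_ARROW":
        target = expect(i + 1, "TOK_ID")
        i += 2
    expect(i, "TOK_END_OF_RULE")
    if i + 1 != len(toks):
        raise ParseError(f"syntax error, unexpected {toks[i + 1][0]} after end of rule")
    return ExecRule(path, perms, target)


def stack_components(target: str) -> List[str]:
    """Split 'A//&B' (or 'A //& B' from a quoted name) into its profiles."""
    return [p.strip() for p in target.split(STACK_SEP)]


# Constructed from the two child profiles in the report: path -> permissions.
PROFILES: Dict[str, Dict[str, str]] = {
    "readtest1": {"/root/test/file1": "r", "/root/test/read": "mr"},
    "readtest2": {"/root/test/file2": "r", "/root/test/read": "mr"},
}


def allowed(stack: List[str], profiles: Dict[str, Dict[str, str]],
            path: str, perm: str) -> bool:
    """Stacked confinement: every profile in the stack must grant the access."""
    return all(perm in profiles.get(p, {}).get(path, "") for p in stack)


if __name__ == "__main__":
    for rule in ('/root/test/read px -> readtest1 //& readtest2,',
                 '/root/test/read px -> "readtest1 //& readtest2",',
                 '/root/test/read px -> readtest1//&readtest2,'):
        try:
            stack = stack_components(parse_exec_rule(rule).target)
            print(f"{rule!r}: stack={stack}, file1 readable="
                  f"{allowed(stack, PROFILES, '/root/test/file1', 'r')}")
        except ParseError as e:
            print(f"{rule!r}: {e}")
```

In this model the unquoted form with spaces fails exactly where the reported error points: after the first target token the grammar wants the rule terminator and finds another TOK_ID. Both accepted forms reduce to the same two-profile stack, under which neither file1 nor file2 is readable because each is granted by only one of the two profiles.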

Yuqiong Sun (yus138) wrote :

Hi John,

Thanks for the quick reply.

I did what you suggested, but it looks like it is still not working.

After I remove the whitespace, I still have the same error:

AppArmor parser error for in at line 7: syntax error, unexpected TOK_ID, expecting TOK_END_OF_RULE

Then I tried the quote, the error message changes to the following:

AppArmor parser error for in at line 7: Found unexpected character: '"'


John Johansen (jjohansen) wrote :

Alright, I have replicated this and there is indeed a problem here. It will work if the first profile starts with a / but fails when it doesn't.

Changed in apparmor (Ubuntu):
status: New → Confirmed
assignee: nobody → John Johansen (jjohansen)